* [PATCH v2 0/3] More work on deprecation/removal of clear text passwords @ 2022-12-16 11:31 Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi Daniel P. Berrangé ` (2 more replies) 0 siblings, 3 replies; 7+ messages in thread From: Daniel P. Berrangé @ 2022-12-16 11:31 UTC (permalink / raw) To: qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé This deprecates the -iscsi clear text 'password' option and deletes the previously deprecated -spice 'password' option. Changed in v2: * Fixed section placement for iscsi deprecation docs * Fixed missing brackets in -iscsi help * Write in past tense for -spice password removal docs Daniel P. Berrangé (3): block: mention 'password-secret' option for -iscsi block: deprecate iSCSI 'password' in favour of 'password-secret' ui: remove deprecated 'password' option for SPICE block/iscsi.c | 3 +++ docs/about/deprecated.rst | 16 ++++++++-------- docs/about/removed-features.rst | 7 +++++++ qemu-options.hx | 13 +++---------- ui/spice-core.c | 15 --------------- 5 files changed, 21 insertions(+), 33 deletions(-) -- 2.38.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi 2022-12-16 11:31 [PATCH v2 0/3] More work on deprecation/removal of clear text passwords Daniel P. Berrangé @ 2022-12-16 11:31 ` Daniel P. Berrangé 2022-12-16 13:52 ` Fabiano Rosas 2022-12-16 11:31 ` [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE Daniel P. Berrangé 2 siblings, 1 reply; 7+ messages in thread From: Daniel P. Berrangé @ 2022-12-16 11:31 UTC (permalink / raw) To: qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé, Markus Armbruster The 'password-secret' option was added commit b189346eb1784df95ed6fed610411dbf23d19e1f Author: Daniel P. Berrangé <berrange@redhat.com> Date: Thu Jan 21 14:19:21 2016 +0000 iscsi: add support for getting CHAP password via QCryptoSecret API but was not mentioned in the command line docs Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- qemu-options.hx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/qemu-options.hx b/qemu-options.hx index 7f99d15b23..58efb58072 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1889,8 +1889,8 @@ SRST ERST DEF("iscsi", HAS_ARG, QEMU_OPTION_iscsi, - "-iscsi [user=user][,password=password]\n" - " [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE\n" + "-iscsi [user=user][,password=password][,password-secret=secret-id]\n" + " [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE]\n" " [,initiator-name=initiator-iqn][,id=target-iqn]\n" " [,timeout=timeout]\n" " iSCSI session parameters\n", QEMU_ARCH_ALL) -- 2.38.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi 2022-12-16 11:31 ` [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi Daniel P. Berrangé @ 2022-12-16 13:52 ` Fabiano Rosas 0 siblings, 0 replies; 7+ messages in thread From: Fabiano Rosas @ 2022-12-16 13:52 UTC (permalink / raw) To: Daniel P. Berrangé, qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé, Markus Armbruster Daniel P. Berrangé <berrange@redhat.com> writes: > The 'password-secret' option was added > > commit b189346eb1784df95ed6fed610411dbf23d19e1f > Author: Daniel P. Berrangé <berrange@redhat.com> > Date: Thu Jan 21 14:19:21 2016 +0000 > > iscsi: add support for getting CHAP password via QCryptoSecret API > > but was not mentioned in the command line docs > > Reviewed-by: Markus Armbruster <armbru@redhat.com> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' 2022-12-16 11:31 [PATCH v2 0/3] More work on deprecation/removal of clear text passwords Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi Daniel P. Berrangé @ 2022-12-16 11:31 ` Daniel P. Berrangé 2022-12-16 13:54 ` Fabiano Rosas 2022-12-16 11:31 ` [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE Daniel P. Berrangé 2 siblings, 1 reply; 7+ messages in thread From: Daniel P. Berrangé @ 2022-12-16 11:31 UTC (permalink / raw) To: qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé Support for referencing secret objects was added in commit b189346eb1784df95ed6fed610411dbf23d19e1f Author: Daniel P. Berrangé <berrange@redhat.com> Date: Thu Jan 21 14:19:21 2016 +0000 iscsi: add support for getting CHAP password via QCryptoSecret API The existing 'password' option is overdue for deprecation and subsequent removal. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- block/iscsi.c | 3 +++ docs/about/deprecated.rst | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/block/iscsi.c b/block/iscsi.c index a316d46d96..58c0623052 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -1352,6 +1352,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts, } else if (!password) { error_setg(errp, "CHAP username specified but no password was given"); return; + } else { + warn_report("iSCSI block driver 'password' option is deprecated, " + "use 'password-secret' instead"); } if (iscsi_set_initiator_username_pwd(iscsi, user, password)) { diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index 93affe3669..daf2334040 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -333,6 +333,14 @@ The above, converted to the current supported format:: json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"} +``iscsi,password=xxx`` (since 8.0) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Specifying the iSCSI password in plain text on the command line using the +``password`` option is insecure. The ``password-secret`` option should be +used instead, to refer to a ``--object secret...`` instance that provides +a password via a file, or encrypted. + Backwards compatibility ----------------------- -- 2.38.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' 2022-12-16 11:31 ` [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' Daniel P. Berrangé @ 2022-12-16 13:54 ` Fabiano Rosas 0 siblings, 0 replies; 7+ messages in thread From: Fabiano Rosas @ 2022-12-16 13:54 UTC (permalink / raw) To: Daniel P. Berrangé, qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé Daniel P. Berrangé <berrange@redhat.com> writes: > Support for referencing secret objects was added in > > commit b189346eb1784df95ed6fed610411dbf23d19e1f > Author: Daniel P. Berrangé <berrange@redhat.com> > Date: Thu Jan 21 14:19:21 2016 +0000 > > iscsi: add support for getting CHAP password via QCryptoSecret API > > The existing 'password' option is overdue for deprecation and > subsequent removal. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE 2022-12-16 11:31 [PATCH v2 0/3] More work on deprecation/removal of clear text passwords Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' Daniel P. Berrangé @ 2022-12-16 11:31 ` Daniel P. Berrangé 2022-12-16 13:56 ` Fabiano Rosas 2 siblings, 1 reply; 7+ messages in thread From: Daniel P. Berrangé @ 2022-12-16 11:31 UTC (permalink / raw) To: qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé, Markus Armbruster This has been replaced by the 'password-secret' option, which references a 'secret' object instance. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- docs/about/deprecated.rst | 8 -------- docs/about/removed-features.rst | 7 +++++++ qemu-options.hx | 9 +-------- ui/spice-core.c | 15 --------------- 4 files changed, 8 insertions(+), 31 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index daf2334040..8fbe7cb5fe 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -73,14 +73,6 @@ Input parameters that take a size value should only use a size suffix the value is hexadecimal. That is, '0x20M' is deprecated, and should be written either as '32M' or as '0x2000000'. -``-spice password=string`` (since 6.0) -'''''''''''''''''''''''''''''''''''''' - -This option is insecure because the SPICE password remains visible in -the process listing. This is replaced by the new ``password-secret`` -option which lets the password be securely provided on the command -line using a ``secret`` object instance. - ``-smp`` ("parameter=0" SMP configurations) (since 6.2) ''''''''''''''''''''''''''''''''''''''''''''''''''''''' diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index 63df9848fd..2cbb1b7afe 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -408,6 +408,13 @@ pcspk-audiodev=<name>``. Use ``-device`` instead. +``-spice password=string`` (removed in 8.0) +''''''''''''''''''''''''''''''''''''''''''' + +This optionwas insecure because the SPICE password remained visible in +the process listing. This was replaced by the new ``password-secret`` +option which lets the password be securely provided on the command +line using a ``secret`` object instance. QEMU Machine Protocol (QMP) commands ------------------------------------ diff --git a/qemu-options.hx b/qemu-options.hx index 58efb58072..847d71e567 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -2132,7 +2132,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice, " [,tls-channel=[main|display|cursor|inputs|record|playback]]\n" " [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n" " [,sasl=on|off][,disable-ticketing=on|off]\n" - " [,password=<string>][,password-secret=<secret-id>]\n" + " [,password-secret=<secret-id>]\n" " [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n" " [,jpeg-wan-compression=[auto|never|always]]\n" " [,zlib-glz-wan-compression=[auto|never|always]]\n" @@ -2158,13 +2158,6 @@ SRST ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off`` Force using the specified IP version. - ``password=<string>`` - Set the password you need to authenticate. - - This option is deprecated and insecure because it leaves the - password visible in the process listing. Use ``password-secret`` - instead. - ``password-secret=<secret-id>`` Set the ID of the ``secret`` object containing the password you need to authenticate. diff --git a/ui/spice-core.c b/ui/spice-core.c index 72f8f1681c..76f7c2bc3d 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c @@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = { .name = "unix", .type = QEMU_OPT_BOOL, #endif - },{ - .name = "password", - .type = QEMU_OPT_STRING, },{ .name = "password-secret", .type = QEMU_OPT_STRING, @@ -666,20 +663,8 @@ static void qemu_spice_init(void) } passwordSecret = qemu_opt_get(opts, "password-secret"); if (passwordSecret) { - if (qemu_opt_get(opts, "password")) { - error_report("'password' option is mutually exclusive with " - "'password-secret'"); - exit(1); - } password = qcrypto_secret_lookup_as_utf8(passwordSecret, &error_fatal); - } else { - str = qemu_opt_get(opts, "password"); - if (str) { - warn_report("'password' option is deprecated and insecure, " - "use 'password-secret' instead"); - password = g_strdup(str); - } } if (tls_port) { -- 2.38.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE 2022-12-16 11:31 ` [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE Daniel P. Berrangé @ 2022-12-16 13:56 ` Fabiano Rosas 0 siblings, 0 replies; 7+ messages in thread From: Fabiano Rosas @ 2022-12-16 13:56 UTC (permalink / raw) To: Daniel P. Berrangé, qemu-devel Cc: Gerd Hoffmann, Paolo Bonzini, Hanna Reitz, qemu-block, Peter Lieven, Kevin Wolf, libvir-list, Ronnie Sahlberg, Daniel P. Berrangé, Markus Armbruster Daniel P. Berrangé <berrange@redhat.com> writes: > This has been replaced by the 'password-secret' option, > which references a 'secret' object instance. > > Reviewed-by: Markus Armbruster <armbru@redhat.com> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Just a small detail below. > --- > docs/about/deprecated.rst | 8 -------- > docs/about/removed-features.rst | 7 +++++++ > qemu-options.hx | 9 +-------- > ui/spice-core.c | 15 --------------- > 4 files changed, 8 insertions(+), 31 deletions(-) > > diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst > index daf2334040..8fbe7cb5fe 100644 > --- a/docs/about/deprecated.rst > +++ b/docs/about/deprecated.rst > @@ -73,14 +73,6 @@ Input parameters that take a size value should only use a size suffix > the value is hexadecimal. That is, '0x20M' is deprecated, and should > be written either as '32M' or as '0x2000000'. > > -``-spice password=string`` (since 6.0) > -'''''''''''''''''''''''''''''''''''''' > - > -This option is insecure because the SPICE password remains visible in > -the process listing. This is replaced by the new ``password-secret`` > -option which lets the password be securely provided on the command > -line using a ``secret`` object instance. > - > ``-smp`` ("parameter=0" SMP configurations) (since 6.2) > ''''''''''''''''''''''''''''''''''''''''''''''''''''''' > > diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst > index 63df9848fd..2cbb1b7afe 100644 > --- a/docs/about/removed-features.rst > +++ b/docs/about/removed-features.rst > @@ -408,6 +408,13 @@ pcspk-audiodev=<name>``. > > Use ``-device`` instead. > > +``-spice password=string`` (removed in 8.0) > +''''''''''''''''''''''''''''''''''''''''''' > + > +This optionwas insecure because the SPICE password remained visible in Missing a space here. > +the process listing. This was replaced by the new ``password-secret`` > +option which lets the password be securely provided on the command > +line using a ``secret`` object instance. > > QEMU Machine Protocol (QMP) commands > ------------------------------------ > diff --git a/qemu-options.hx b/qemu-options.hx > index 58efb58072..847d71e567 100644 > --- a/qemu-options.hx > +++ b/qemu-options.hx > @@ -2132,7 +2132,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice, > " [,tls-channel=[main|display|cursor|inputs|record|playback]]\n" > " [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n" > " [,sasl=on|off][,disable-ticketing=on|off]\n" > - " [,password=<string>][,password-secret=<secret-id>]\n" > + " [,password-secret=<secret-id>]\n" > " [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n" > " [,jpeg-wan-compression=[auto|never|always]]\n" > " [,zlib-glz-wan-compression=[auto|never|always]]\n" > @@ -2158,13 +2158,6 @@ SRST > ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off`` > Force using the specified IP version. > > - ``password=<string>`` > - Set the password you need to authenticate. > - > - This option is deprecated and insecure because it leaves the > - password visible in the process listing. Use ``password-secret`` > - instead. > - > ``password-secret=<secret-id>`` > Set the ID of the ``secret`` object containing the password > you need to authenticate. > diff --git a/ui/spice-core.c b/ui/spice-core.c > index 72f8f1681c..76f7c2bc3d 100644 > --- a/ui/spice-core.c > +++ b/ui/spice-core.c > @@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = { > .name = "unix", > .type = QEMU_OPT_BOOL, > #endif > - },{ > - .name = "password", > - .type = QEMU_OPT_STRING, > },{ > .name = "password-secret", > .type = QEMU_OPT_STRING, > @@ -666,20 +663,8 @@ static void qemu_spice_init(void) > } > passwordSecret = qemu_opt_get(opts, "password-secret"); > if (passwordSecret) { > - if (qemu_opt_get(opts, "password")) { > - error_report("'password' option is mutually exclusive with " > - "'password-secret'"); > - exit(1); > - } > password = qcrypto_secret_lookup_as_utf8(passwordSecret, > &error_fatal); > - } else { > - str = qemu_opt_get(opts, "password"); > - if (str) { > - warn_report("'password' option is deprecated and insecure, " > - "use 'password-secret' instead"); > - password = g_strdup(str); > - } > } > > if (tls_port) { ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-12-16 13:56 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-12-16 11:31 [PATCH v2 0/3] More work on deprecation/removal of clear text passwords Daniel P. Berrangé 2022-12-16 11:31 ` [PATCH v2 1/3] block: mention 'password-secret' option for -iscsi Daniel P. Berrangé 2022-12-16 13:52 ` Fabiano Rosas 2022-12-16 11:31 ` [PATCH v2 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret' Daniel P. Berrangé 2022-12-16 13:54 ` Fabiano Rosas 2022-12-16 11:31 ` [PATCH v2 3/3] ui: remove deprecated 'password' option for SPICE Daniel P. Berrangé 2022-12-16 13:56 ` Fabiano Rosas
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.